
Hello, 

I am trying to understand what is and is not covered under the supported devices and log types for the Windows Threats curated detection. At my organization we use Microsoft Defender for Endpoint as our EDR source, and while I see that listed in the "Alert Prioritization" section, I don't see it under the "Supported devices and log types" section where it talks about testing against the detections. Is this document up-to-date - https://cloud.google.com/chronicle/docs/detection/windows-threats-category.

I saw this morning in the marketplace that there is a Microsoft Defender for Endpoint content pack, but I am unsure what that does - it looks like it adds curated detections that are in the above document, but again I am not 100% sure MDE is covered, as in our environment I have yet to see one of those detections go off and we have had multiple instances where they should have.

As long as it's parsing correctly, the data from MDE is largely compatible with the curated detections in the Windows Threats category; but you should take some time to review the required fields here against your MDE events to make sure everything aligns as expected.


Broadly the required fields are listed here: https://cloud.google.com/chronicle/docs/detection/windows-threats-category#required_fields_needed_by_windows_threats_category


For a more specific look at why a rule you expected didn't trigger, we have recently enabled the content hub in preview and this will allow you to see the actual rule text for curated detections. https://cloud.google.com/chronicle/docs/secops/content_hub#what_can_i_do_on_the_curated_detections_page From 'marketplace' - 'Curated Detections' you can use the filters or search for the rule you expected to trigger, click 'View & Manage' and then click the 'Rule Definition' tab to view the rule text. Then you'll be able to investigate why the rule didn't trigger as expected. This feature is in preview right now and we don't have all the rule bodies loaded for everything yet, so some rules may throw an error if you try to view the definition, but most of the rules should be accessible.
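One way to do the field review suggested above, as an added example that is not part of this thread or of Chronicle's own tooling: walk a sample of normalized (UDM-shaped) events and measure how often each field a detection depends on is actually populated. The required field list and the sample events are constructed placeholders; take the real list from the Windows Threats category documentation linked above.

```python
"""Check a sample of UDM-shaped events for fields a curated detection expects.

Added example for this thread, not Google's or Chronicle's code. REQUIRED_FIELDS
is a hypothetical list; substitute the fields from the linked documentation.
"""

# Hypothetical required fields (dotted UDM paths) for a process-launch detection.
REQUIRED_FIELDS = [
    "metadata.event_type",
    "principal.hostname",
    "principal.process.command_line",
    "principal.process.file.full_path",
    "target.process.command_line",
]

# Constructed sample events. The second one is missing both command lines,
# which is the kind of gap that silently prevents a rule from ever firing.
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws01",
                   "process": {"command_line": "powershell.exe -nop -w hidden",
                               "file": {"full_path": "C:\\Windows\\System32\\powershell.exe"}}},
     "target": {"process": {"command_line": "whoami.exe"}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws02",
                   "process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"}}},
     "target": {"process": {"command_line": ""}}},
]


def get_path(event, dotted):
    """Resolve a dotted path; return None if absent or empty (unset in UDM)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return None if cur in ("", None, [], {}) else cur


def missing_fields(event, required):
    """List the required fields that this single event does not populate."""
    return [f for f in required if get_path(event, f) is None]


def field_coverage(events, required):
    """Map each required field to the fraction of events that populate it."""
    total = len(events) or 1
    return {f: sum(get_path(e, f) is not None for e in events) / total
            for f in required}


def under_covered(events, required, threshold=1.0):
    """Fields whose coverage falls below threshold: the parser gaps to chase."""
    return sorted(f for f, c in field_coverage(events, required).items() if c < threshold)
```

Run it against a real export of parsed MDE events instead of SAMPLE_EVENTS; any field that comes back from under_covered is a parser-mapping gap to raise before expecting the detection to fire.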


Thanks for the response @JeremyLand. I'll have to go through and make sure that the fields are present in the logs. As for the marketplace, I am getting an error that I am missing some entitlements. I know you mentioned these are recently enabled, but do I need a specific permission, because right now I have full admin for our instance?



I get that same error message for that 'Password String In Command Line Or Process Path' and other rules that aren't loaded to content hub yet, so it is likely related to that content still being filled in. Try checking any of the 'Powershell Download from github.com' rules; if those load the rule text then it likely is not an actual entitlement issue and we may need to wait a little for the rest of the rules to get loaded. If those 'powershell download' rules don't load then it may be an entitlement issue with your SecOps tenant and you should check with your account team or submit a support case to get it sorted out.




Thanks @JeremyLand I'll check back in for sure!

